ITsecurity

Draft General Data Protection Regulation – where it went wrong.

Posted on March 11, 2015.

Last week a coalition of NGOs issued a report, titled “Data Protection Broken Badly”, on the latest changes to the draft General Data Protection Regulation made by the Council of Europe. The eight-page document talks about a number of issues such as the “one stop shop”, “legitimate interest” and consent.

As someone who has followed the Draft since it was first leaked in December 2011 and was present at the “launch” of the document by the European Commission in Brussels on 25th January 2012 – I feel it is important to put the latest changes into context.

First and foremost, I agree that the changes by the Council are appalling – there is no disputing that. However, it is not at all surprising; it is really par for the course and illustrates the very real problem we have with the issue of corporate lobbying. The draft GDPR has been hammered, reforged, twisted and mutated since before it even became public in 2012. For example, the original leaked draft from December 2011 included Article 42, which would have provided some protection against the types of surveillance which have become public knowledge through the revelations of Edward Snowden. Known as the “Anti-FISA” clause, it would have required companies not to hand over data on European citizens to foreign intelligence organisations without following the established legal route (presumably through Mutual Legal Assistance Treaties or MLATs). This would mean that secret court orders under the US Foreign Intelligence Surveillance Act and PATRIOT Act would in principle not be acceptable and could potentially lead to the breakdown of the Safe Harbour Agreement. The clause was not perfect, but under lobbying from the US government, the European Commission removed it from the draft which was presented in January 2012.

Then in 2013, Jan Albrecht presented the Parliament’s draft and it looked significantly different to the original Commission document. It was in fact the European Parliament, not the Council of Europe, which first introduced clauses relating to “legitimate interest”. Furthermore, the Parliament, under pressure from corporate lobbyists, added an exemption on consent for companies that pseudonymised the data they collected. This was an absolutely lethal blow to the privacy rights of European citizens. Pseudonymisation doesn’t even de-link data from an individual; it merely associates a new unique identifier with that individual, which actually makes identification at the technology level much easier – it is far easier for a computer algorithm to identify an individual from a unique numeric or alphanumeric string than it is from first name, last name, date of birth, social security number etc. Invoking an exemption for pseudonymisation was a disastrous move by the European Parliament and perhaps one of the worst amendments to the draft GDPR to date. When you couple that with the “Legitimate Interest” exemption also introduced by the European Parliament, you have basically removed any perceived privacy rights from the individual.

It was the European Parliament which was responsible for the lobbying scandal which saw entire clauses being lifted from corporate lobbying documents and pasted into the draft GDPR verbatim. The European Parliament paved the way for those same lobbyists to pressure the Council into their latest failings and failed completely to represent the interests of their constituents. So the draft GDPR was already significantly gutted before it ever reached the Council; the Parliament had all but shredded the original draft and filled it with the intentions of their corporate sponsors – to say the process was corrupted would be an understatement of the highest order.

So now we see the latest scandal, with NGOs accusing the Council of destroying the draft GDPR, undermining the existing rights of citizens under Directive 95/46 and failing to comply with the Lisbon Treaty or Article 8 of the European Convention on Human Rights, and I am sorry but it is laughable. Yes, the changes by the Council are bad, but the draft was all but destroyed by the washing it received in the Parliament – it was already so weak as to fail at all the levels civil society are now accusing the Council of.

The bottom line is, the draft GDPR is an aberration of law and democracy – it is a twisted and deformed thing which will be used to create the privacy and data protection nightmare of the next generation.  It will open the door to more surveillance, more intrusion on our private lives and it will wedge that door open so wide that any hope of fundamental rights will be sucked out leaving a vacuum and it is unlikely that we can defend against this given that the anti-privacy brigade currently occupies a very comfortable majority in the European Parliament, which is our last bastion of hope that we can defeat the current draft.

The responsibility for this is trilateral and falls at the feet of the European Commission, Parliament and the Council but it is the hundreds of millions of European citizens who will suffer the consequences whilst giant US corporations will reap the profits when they harvest the data that these three political bodies planted the seeds for when they surrendered their responsibilities to the people.



One thought on “Draft General Data Protection Regulation – where it went wrong.”

  1. Tara Taubman-Bassirian said:

    The long arm of US jurisdiction represents a serious threat to the privacy of EU citizens and governments as revealed by Edward Snowden. The NSA has been accessing mobile phones, and other sensitive data. http://www.pearltrees.com/clarinette02/nsa-international-cooperation/id8367882
    This question of jurisdiction and law enforcement action was the subject of one of the CPDP2015 panels, on which I have reported, with mention of the two pending cases of Microsoft and the Belgium Government and Yahoo email account access. https://clarinettesblog.wordpress.com/2015/02/22/law-enforcement-and-internet-jurisdiction/


Submitted in: Alexander Hanff, News_legal, News_politics, News_privacy